Benki β†’ All Posts

next page β‡’

A way to spin up ephemeral containers in a running Kubernetes pod that have access to the same process namespace as the running ones. Used to run debugging tools in production.

A bot that creates pull requests for project dependency updates. Supports multiple target languages.

A free-as-in-freedom RHEL derivative similar to what CentOS was before it was converted into the CentOS Stream rolling release distribution, called into life by the original founder of CentOS.

A CI-agnostic build and deployment pipeline definition tool. Works locally, too.

A container build tool that runs inside a container, requiring no additional privileges. Suitable for use inside a Kubernetes pod. Supports reproducible (timestamp-less) builds out of the box.

Matthias #

Well-maintained (or not) OpenJDK Docker images

Here is a list of major OpenJDK vendors and the container images they offer.

Vendor Image name Tag Release cycle Base OS Remarks
Azul docker.io/azul/zulu-openjdk 17 LTS Ubuntu
Azul docker.io/azul/zulu-openjdk-alpine 17 LTS Alpine Linux
Azul docker.io/azul/zulu-openjdk-centos 17 LTS CentOS
Azul docker.io/azul/zulu-openjdk-debian 17 LTS Debian
BellSoft docker.io/bellsoft/liberica-openjdk-alpine 17 LTS Alpine (glibc)
BellSoft docker.io/bellsoft/liberica-openjdk-alpine latest non-LTS Alpine (glibc)
BellSoft docker.io/bellsoft/liberica-openjdk-alpine-musl 17 LTS Alpine (musl)
BellSoft docker.io/bellsoft/liberica-openjdk-alpine-musl latest non-LTS Alpine (musl)
BellSoft docker.io/bellsoft/liberica-openjdk-centos 17 LTS CentOS
BellSoft docker.io/bellsoft/liberica-openjdk-centos latest non-LTS CentOS
BellSoft docker.io/bellsoft/liberica-openjdk-debian 17 LTS Debian
BellSoft docker.io/bellsoft/liberica-openjdk-debian latest non-LTS Debian
Eclipse docker.io/library/eclipse-temurin latest non-LTS Ubuntu recommended non-LTS1
Eclipse docker.io/library/eclipse-temurin 17 LTS Ubuntu recommended LTS1
Eclipse docker.io/library/eclipse-temurin 17-alpine LTS Alpine
Google gcr.io/distroless/java17-debian11 latest LTS Debian
Microsoft mcr.microsoft.com/openjdk/jdk 17-ubuntu LTS Ubuntu
Microsoft mcr.microsoft.com/openjdk/jdk 17-mariner LTS CentOS (derivative)
Microsoft mcr.microsoft.com/openjdk/jdk 17-cbld LTS Debian (derivative)
Oracle container-registry.oracle.com/java/openjdk latest non-LTS Oracle Linux recommended non-LTS2
Red Hat registry.access.redhat.com/ubi8/openjdk-17 latest LTS RHEL (UBI)4 recommended LTS3
Red Hat registry.access.redhat.com/ubi8/openjdk-17-runtime latest LTS RHEL (UBI)4

General remarks:

As is apparent from the list, most vendors do not offer a rolling non-LTS image. Be careful when using a non-LTS image pinned to a specific version as its time under support will be quite limited. Rolling non-LTS images that always update to the latest OpenJDK version are fine (and may in fact be more secure and reliable than any LTS image considering that OpenJDK Updates primarily consists of backports from later versions).

Generally speaking, Docker images, particularly OpenJDK images, tend to drift from the latest update state of the base OS underlying them. It is probably a good idea to build your own runtime image (perhaps based on something like UBI Micro (manual)) and keep it up to date through a nightly CI job.

I cannot recommend any Alpine-based images at present because there are too many dependencies on glibc specifics (see also) in the ecosystem and using glibc on Alpine is not a supported configuration.

Footnotes:

  1. Being a widely deployed image with lots of attention given to it, the Temurin image is probably the one you want if you prefer Ubuntu over RHEL. Be warned, though, that they have been a little slow (by a few days) to respond to the most recent OpenJDK security updates.

  2. Oracle is the main sponsor of OpenJDK. New OpenJDK releases tend to find their way into their image promptly. Oracle Linux is also a generally well-maintained and secure base; do note, however, that the OpenJDK image is typically only updated when a new OpenJDK is released, so you have to install system package updates yourself.

  3. Red Hat is the second largest contributor to OpenJDK (after Oracle) and one of the sponsors of the OpenJDK 17 Updates project and is typically quick to release security patches. UBI8 is also a well-maintained and secure image base.

  4. UBI is a trimmed-down version of RHEL that Red Hat distribute free of charge as part of their container image offerings.

A web application and JMX client that runs in your Kubernetes cluster to pull Java Flight Recorder dumps from pods and store them in a central location for later processing.

While you can always use kubectl exec in conjunction with kubectl cp to pull a dump in a pinch, this sounds nicer.

A JavaScript rich text editor that can only do simple things and enforces a correspondingly simple structure on the document being edited. Takes HTML as input and outputs HTML, but deliberately does not allow direct HTML editing.

next page β‡’